The Null Device

USB as security hole

According to this article, there are two ways to compromise computer security by plugging an untrusted USB/FireWire device into a computer.

The first one's the obvious one: somehow convince a user to plug a USB flash drive or similar into their Windows PC, without disabling autostarting. The PC will automatically run whatever program the AUTORUN.INF file on the flash drive tells it to, and this can then do whatever it likes to the PC. Of course, this won't work if the user holds down SHIFT, disables auto-starting or uses a machine with a less-brain-damaged operating system.
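To make the first mechanism concrete, here is an added example (not code from the article or from this post) in Python: it parses an AUTORUN.INF the way Windows reads it, lists the directives that would launch a program, and checks them against the NoDriveTypeAutoRun policy bitmask that Windows uses to decide which drive types are allowed to auto-run. The sample file and the policy values are constructed for the demo; the bit layout (one bit per GetDriveType() value, 0xFF disables AutoRun everywhere) is Microsoft's documented behaviour, not something stated on this page.

```python
"""Audit an AUTORUN.INF against the Windows AutoRun policy (added example)."""
import configparser

# Drive-type indices as returned by the Windows GetDriveType() API.  The
# NoDriveTypeAutoRun policy value (HKLM or HKCU ...\Policies\Explorer) is a
# bitmask with bit (1 << type) set for each drive type on which AutoRun is
# suppressed; 0xFF turns it off for every drive type.
DRIVE_TYPES = {
    "unknown": 0, "no_root_dir": 1, "removable": 2, "fixed": 3,
    "remote": 4, "cdrom": 5, "ramdisk": 6,
}

# Constructed sample, not taken from any real device.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
; looks like a harmless photo volume, but launches an executable on insert
icon=setup.exe,0
label=Holiday Photos
open=setup.exe
shell\explore\command=setup.exe /quiet
UseAutoPlay=1
"""


def parse_autorun_inf(text: str) -> dict:
    """Return key/value pairs of the [autorun] section, keys lower-cased.

    Windows treats section and key names case-insensitively and ignores a
    file without a section header, so a malformed file yields {}.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for name in cp.sections():
        if name.lower() == "autorun":
            return dict(cp[name])
    return {}


def launch_directives(entries: dict) -> list:
    """Directives that run a program on insertion or on double-click.

    open= and shellexecute= run on insertion when AutoRun is enabled;
    shell\<verb>\command= adds a verb that runs from the drive's context menu
    (and on double-click if shell=<verb> makes it the default).
    """
    hits = []
    for key, value in entries.items():
        if key in ("open", "shellexecute"):
            hits.append((key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            hits.append((key, value))
    return hits


def autorun_suppressed(policy: int, drive_type: str) -> bool:
    """True if the policy bitmask disables AutoRun for this drive type."""
    return bool((policy >> DRIVE_TYPES[drive_type]) & 1)


def assess(text: str, policy: int, drive_type: str) -> dict:
    """Combine the file contents and the policy into a verdict."""
    launches = launch_directives(parse_autorun_inf(text))
    return {
        "launches": launches,
        "would_execute": bool(launches) and not autorun_suppressed(policy, drive_type),
    }


if __name__ == "__main__":
    # 0x91 was the Windows XP default: unknown, remote and type-7 drives only.
    for policy in (0x91, 0xFF):
        print(hex(policy), assess(SAMPLE_AUTORUN_INF, policy, "removable"))
```

The verdict only models the policy bitmask; holding SHIFT during insertion, as the post notes, is a per-event override that no file-side check can see. Running the script against a mounted volume is a matter of reading its AUTORUN.INF and the policy value out of the registry, which is left out here to keep the example offline.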

The second method is more intriguing. To allow fast data transfers along USB and FireWire buses, such buses implement direct memory access (DMA). What this means is that anything plugged into them can access (or modify) anything mapped into the machine's memory space at the hardware level, bypassing the operating system altogether. Of course, it requires more work (the device has to be an actual programmable computer, and not just a flash drive), but once that hurdle is crossed, the possibilities, as they say, are endless:

Recently a number of computer security researchers realized the tremendous potential of using DMA over FireWire or USB as an attack vector. At the CanSec West '05 conference, Michael Becher, Maximillian Dornseif and Christian N. Klein demonstrated an exploit that used DMA to read arbitrary memory locations of a FireWire-enabled system. The exploit was based on an iPod running Linux. For example, they could plug their customized iPod into a victim computer and grab a copy of that computer's screen--not just without the computer's permission, but even without its knowledge!

The article goes on to mention that this attack has not been demonstrated on USB devices, only with FireWire. If it works with USB, it could be interesting. I imagine that sooner or later, they'll start making USB chipsets which take steps to filter DMA requests.

Aside: I wonder whether it'd be possible to use such an approach on, say, a PlayStation 2 (which has two USB ports on the front, sitting rather uselessly), or indeed any other notionally tamperproof computer-based device with USB/FireWire ports. If one could access arbitrary memory inside such a device, one could get up to all sorts of mischief.

There are 3 comments on "USB as security hole":

Posted by: Chris Adams http://improbable.org/ Fri Jun 9 21:26:40 2006

They've just rediscovered something which got a bit of publicity after MacHack in 2002 - here's a good summary: http://rentzsch.com/macosx/securingFirewire

Posted by: Jim http://found.pale.org Mon Jun 12 12:48:43 2006

USB on the PS2 isn't DMA enabled, it's very basic. Believe me, I know ;) Those ports can be very useful, however - our latest engine has a keyboard/mouse based editor running through the USB ports native to the PS2.

What's more interesting is the memory card slots, which can do quite a few clever tricks. For example, our embedded debugging environment boots from a special memory card. I'd imagine all these facilities are only available on the TestStation, however - a kind of 'chipped PS2' which Sony themselves sell to developers.

Posted by: acb http://dev.null.org/ Tue Jun 13 11:13:08 2006

Are the USB ports on a consumer PS2 of any use? The firmware doesn't seem to do anything with them (like, for example, browsing mass storage devices). Do any titles access them?

Also, didn't early PS2s have a FireWire port?